NGA Governor's Guide to Cybersecurity

Cyber threats pose serious risks to the core interests of states and territories. In recent years, an endless series of cyberattacks has demonstrated how the integration of computing into all aspects of business, government and personal life exposes data to theft and critical services to disruption.

Terms like “public-private partnership” and “information sharing” may strike some as clichéd, but in cybersecurity they are essential for success. For example, while private companies possess most of our nation’s capability to uncover and defend against cyber crime, only government has the legal authority to pursue and punish perpetrators. Both stakeholder groups must work hand-in-glove to stop cyber criminals. Cybersecurity is a team sport with many players.

The incredibly complex challenges inherent to cybersecurity require a whole-of-state approach guided by multiple agencies. The state chief information officer may lack authority to enact cybersecurity measures across the executive branch. A major cyberattack will demand close coordination between National Guard cyber units, state police and private companies. Formalizing communication pathways between critical stakeholders and ensuring they do not break down is indispensable for a truly strategic approach to state cybersecurity.

Governors need a foundational statewide strategy to guide their cyber efforts. If state agencies each decide their own cyber goals and objectives, a lack of statewide coordination is likely to be a significant vulnerability. A single plan will ensure unity of effort and a stronger cybersecurity posture.

Cybersecurity risk management assumes that perfect security is impossible and focuses on protecting business priorities with the resources available. Risk management principles can be expressed in a number of equivalent frameworks.

Despite the best efforts of any organization, eventually a hacker will succeed and break into a network. The purpose of incident and disruption response is to maintain operations when things go wrong and avoid worst case scenarios. Resilient organizations and states can minimize damage, quickly identify and mitigate harms, and inform affected parties and the public.

Modern society depends on critical infrastructure facilities, such as transportation networks, telecommunications, water utilities and power plants, that are central not only to daily life, but also to national security. Most of this infrastructure is operated by private companies. Yet because many of these facilities deliver a public good, how their operators implement cybersecurity is a public policy matter.

Criminals commit cyber crimes when the benefits outweigh the costs. Preventing cyber crime depends not only on cybersecurity defenses, but also on a law enforcement enterprise that can identify, indict and convict those who violate state and federal computer crime laws. Some state laws, however, fail to prohibit harmful acts at all, and many state law enforcement agencies are ill-equipped to enforce the laws that do apply. These agencies are themselves targets of damaging cyber crimes as well.

Although frequently omitted from conversations about cybersecurity, K-12 schools and institutions of higher education are under increasing pressure from cyberattacks. Educational institutions provide a perfect target: they hold huge troves of personal, health and financial information; they conduct sensitive research for the military; and they have powerful Internet connections that cyber criminals want to control.

A state’s ability to manage, prevent and mitigate damage from cyberattacks depends on a workforce trained in the relevant skills. Unfortunately, many state agencies, including those focused on IT and cybersecurity, lack sufficient numbers of skilled employees. Building a cybersecurity workforce pipeline will address these challenges as well as grow a state’s economy by creating a new engine for job growth.

Nowhere else is the link between cybersecurity and personal safety more apparent than in healthcare. As health providers integrate computers into more and more patient care operations, cyberattacks that target these systems have a direct impact on citizens’ health. The threat is not hypothetical. Hackers are already targeting hospitals across the country.

As our military has become more focused on cyber as the “fifth domain” of warfare after land, sea, air and space, every state’s National Guard (the Guard) has also developed and now maintains expertise in cybersecurity. These men and women have specialized skills that can be used in limited capacities, and it may be more cost-effective for them to perform the activities than it would for a third-party or full-time employee.

The people of the United States are committed to free and fair elections. Virtually all federal, state and local elections employ computer-based technologies to manage voter-registration data, record votes and tally ballots. Many of these systems suffer from software and physical security flaws that could allow criminals or dedicated foreign adversaries to disrupt voting processes or undermine the public’s faith in election results.

Terrorists constantly change their tactics to stay one step ahead; the cyber criminals and nation-states that infiltrate computer systems are no different. As soon as cybersecurity experts resolve one major security flaw, adversaries will exploit another. Unlike counterterrorism, robust cybersecurity depends on much more than intelligence agencies and law enforcement. Securing the nation against cyberattacks requires sharing information between agencies at all levels of government, Fortune 500 companies, small businesses, civil society, academia, and everyday citizens.

As technology becomes more fully integrated with government services and private life, the data it produces must be managed carefully and guarded from malicious hackers. States play an important role in safeguarding privacy, employing cybersecurity measures to protect citizen data, and shaping privacy standards for the private sector.

States are attractive targets: they collect and store massive amounts of personal and financial data, they own and operate critical services, and state agencies are often poorly defended. State income tax return fraud jumped as much as 3700 percent in some states in 2015; after the IRS improved its security, cyber attackers shifted focus to state tax agencies. In 2013, overseas hackers (allegedly from Iran) tried unsuccessfully to compromise critical systems at a New York dam. Some of the most sophisticated cyber hacking tools—once the sole purview of militaries and intelligence agencies—are now widely available to anyone with an Internet connection. States are on the front lines of cybersecurity, and things will get worse before they get better.

Most states and territories have awakened to these concerns, and governors across the nation are taking steps to improve their security posture. But cybersecurity policy is difficult. Cyber vulnerabilities pervade the state enterprise, and finding and fixing them demands statewide, public-private coordination. Moreover, a state’s cybersecurity interests extend far beyond defending public networks. For example, an attack on critical infrastructure can have real-world, physical consequences. Consequently, it is imperative that governors understand that cybersecurity is more than an IT issue. Governors are responsible for identifying, pursuing and prosecuting cyber criminals. Businesses count on governors for assistance in fending off and recovering from cyberattacks.

Further, governors should lead the creation of school curricula that ensure individuals are getting the necessary skills to compete in an economy where cybersecurity is a core business risk. In short, cybersecurity is a whole-of-state concern that requires high-level executive engagement.

Governors play an indispensable role in planning, implementing and sustaining state cybersecurity programs. This guide contains the essential information for governors and their staff who want to transform state cybersecurity, reduce risk to business operations, and fulfill their obligation to the public welfare. Three pillars tie the guide together:

RISK-BASED PLANNING
States have limited cybersecurity resources, and perfect cybersecurity is impossible. Leaders must prioritize time and attention based on actual risk to the state and its citizens.

NONSTOP RELATIONSHIP-BUILDING
Staying ahead of innovative cyberattacks requires constant information sharing, which depends on cultivating trust between and among state agencies, federal partners, local government, private industry, and civil society.

This guide is designed to provide each governor with foundational steps toward strengthening their state’s cybersecurity. By implementing these recommendations, states can best position themselves to meet the evolving cyber threat.

Acknowledgements

A Governor’s Guide to Cybersecurity was prepared by the National Governors Association’s Homeland Security & Public Safety Division — Jeffrey McLeod, Timothy Blute, David Forscey, and Michael Garcia — together with Emilian Papadopoulos and Evan Sills of Good Harbor Security Risk Management.